#!/usr/bin/python
################################################################ 
#       .___             __          _______       .___        # 
#     __| _/____ _______|  | __ ____ \   _  \    __| _/____    # 
#    / __ |\__  \\_  __ \  |/ // ___\/  /_\  \  / __ |/ __ \   # 
#   / /_/ | / __ \|  | \/    <\  \___\  \_/   \/ /_/ \  ___/   # 
#   \____ |(______/__|  |__|_ \\_____>\_____  /\_____|\____\   # 
#        \/                  \/             \/                 # 
#                   ___________   ______  _  __                # 
#                 _/ ___\_  __ \_/ __ \ \/ \/ /                # 
#                 \  \___|  | \/\  ___/\     /                 # 
#                  \___  >__|    \___  >\/\_/                  # 
#      est.2007        \/            \/   forum.darkc0de.com   # 
################################################################ 
# Greetz to all Darkc0de, AI, ICW Members
#Shoutz to r45c4l,j4ckh4x0r,silic0n,smith,baltazar,d3hydr8,lowlz,Eberly,Sumit,zerocode,dalsim,7
# The application can be used to perform the initial (static) malware analysis phase.

import os,sys,re

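# Pick the shell command that clears the terminal on this platform.
# sys.platform is 'linux' on Python 3.3+ (it was 'linux2' / 'linux-i386'
# before), so match Linux by prefix instead of by exact name.
if sys.platform.startswith('linux') or sys.platform == 'darwin':
	SysCls = 'clear'
elif sys.platform == 'win32' or sys.platform == 'dos' or sys.platform[0:5] == 'ms-dos':
	SysCls = 'cls'
else:
	SysCls = 'unknown'

# Only spawn the command when one is known; running the literal string
# 'unknown' through the shell just printed a "command not found" error.
if SysCls != 'unknown':
	os.system(SysCls)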

# Banner: written in one go so it reaches stdout as a single block.
sys.stdout.write(
	"\n"
	"|---------------------------------------------------------------|\n"
	"| beenudel1986[@]gmail[dot]com                                  |\n"
	"| Malware Analyser(Static) 1.0                                  |\n"
	"|   06/2009      analyse_malware.py                             |\n"
	"|   Do Visit     www.BeenuArora.com                             |\n"
	"|---------------------------------------------------------------|\n"
	"\n"
)

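# Require exactly one positional argument: the path of the sample to inspect.
if len(sys.argv) < 2:
	# Report the name the script was actually invoked as instead of a
	# hard-coded one (the banner and the old usage text disagreed), and exit
	# non-zero so a calling shell can tell a usage error from success.
	print("\n Usage: %s <file_name>\n" % sys.argv[0])
	sys.exit(1)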

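# Path of the sample under analysis (first command-line argument).
malware = sys.argv[1]

# Every entry is used as a regular expression with re.search(), so '.*' and
# the anchored IPv4 pattern below are intentional; plain names match
# themselves literally.
INTERESTING_CALLS = [
	"CreateMutex", "CopyFile", "CreateFile.*WRITE", "NtasdfCreateFile", "call shell32", "advapi32.RegOpenKey",
	"KERNEL32.CreateProcess", "shdocvw", "gethostbyname", "ws2_32.bind", "ws2_32.listen", "ws2_32.htons",
	"advapi32.RegCreate", "advapi32.RegSet", "http://", "Socket",
	# Dotted-quad IPv4 address.  NOTE: the leading '^' anchors it to the start
	# of a line, so an address appearing mid-line is not reported; kept as-is
	# to preserve the original behaviour.  Raw string so '\d' and '\.' are not
	# interpreted as (invalid) string escapes on newer interpreters.
	r"^([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])",
	"OutputDebugString",
	"FindWindow",
	"IsDebuggerPresent",
]
# Registry hive names whose presence is reported together with the line.
REGISTRY_CALLS = ["HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT", "HKEY_LOCAL_MACHINE"]
# IRC protocol words.  Several of them ("Port", "INFO", "LIST", "MODE",
# "VERSION", ...) also occur in ordinary binaries, so a hit is weak evidence
# on its own.  "POMG" is not an IRC command (presumably "PONG" was meant);
# left unchanged here.
ONLINE_WORK = [
	"IRC", "Joined channel", "Port", "BOT", "Login", "flood", "ddos", "NICK",
	"ECHO", "PRIVMSG", "ADMIN", "AWAY", "CONNECT", "KICK", "LIST", "MODE",
	"MOTD", "PING", "POMG", "QUIT", "SERVLIST", "SERVICE", "NAMES", "JOIN",
	"INVITE", "INFO", "TRACE", "USERHOST", "WHO", "WHOIS", "VERSION",
]

# Read the whole sample once, as lines.  It is opened in binary mode and the
# file handle is closed deterministically.  On Python 3 a binary read yields
# bytes, which re.search() cannot match against str patterns, so each line is
# decoded as latin-1 (a lossless 1:1 byte mapping); on Python 2 the lines are
# already str and are left untouched.
try:
	with open(malware, 'rb') as sample:
		hosts = [line if isinstance(line, str) else line.decode('latin-1') for line in sample]
except IOError:
	# Name the file that could not be opened; the old message referred to a
	# "site list", which was a leftover from another tool.
	print(" \n\nCannot open %s ..Exiting :(" % malware)
	sys.exit(1)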

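def start_analysis_system_calls(lines=None, patterns=None):
	"""Print each pattern that matches at least one line, once, and return them.

	Args:
		lines: iterable of text lines to scan; defaults to the module-level
			``hosts`` (the sample read at start-up).
		patterns: regular expressions (as used by ``re.search``) to look for;
			defaults to ``INTERESTING_CALLS``.

	Returns:
		The list of patterns that matched, in the order they were first seen.
		Each pattern is reported and returned at most once.
	"""
	if lines is None:
		lines = hosts
	if patterns is None:
		patterns = INTERESTING_CALLS
	performed = []
	for line in lines:
		for call in patterns:
			# A pattern already reported is skipped before the (comparatively
			# costly) regex search; the printed output is unchanged.
			if call in performed:
				continue
			if re.search(call, line):
				print("[+] Found an Interesting call to: %s" % call)
				performed.append(call)
	return performed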

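def _printable(text):
	"""Return *text* with every character outside printable ASCII replaced by '.'.

	The scanned lines come straight from the sample being analysed, so they
	are never echoed to the terminal raw: control characters and escape
	sequences are masked first.
	"""
	return "".join(ch if " " <= ch <= "~" else "." for ch in text)


def start_analysis_registry(lines=None, hives=None):
	"""Print every line that mentions a registry hive name and return the hits.

	Unlike the other analysis functions this does not de-duplicate: each
	matching (hive, line) pair is reported.  The message wording is a
	heuristic -- the presence of a hive name does not prove a key is written.

	Args:
		lines: iterable of text lines to scan; defaults to the module-level
			``hosts``.
		hives: patterns (used with ``re.search``) to look for; defaults to
			``REGISTRY_CALLS``.

	Returns:
		A list of ``(hive, line)`` tuples in scan order, with *line* unmodified.
	"""
	if lines is None:
		lines = hosts
	if hives is None:
		hives = REGISTRY_CALLS
	hits = []
	for line in lines:
		for hive in hives:
			if re.search(hive, line):
				print("[+] Malware is Adding a Key at Hive: %s" % hive)
				# The line is untrusted sample content; mask non-printables
				# before it reaches the terminal.
				print(_printable(line))
				hits.append((hive, line))
	return hits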
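def start_analysis_online(lines=None, keywords=None):
	"""Print each IRC-style keyword found in the lines, once, and return them.

	Args:
		lines: iterable of text lines to scan; defaults to the module-level
			``hosts``.
		keywords: patterns (used with ``re.search``, case-sensitive) to look
			for; defaults to ``ONLINE_WORK``.

	Returns:
		The list of keywords that matched, in the order they were first seen.
		Each keyword is reported and returned at most once.  Many of the
		default keywords are common words, so a match is only a hint.
	"""
	if lines is None:
		lines = hosts
	if keywords is None:
		keywords = ONLINE_WORK
	performed = []
	for line in lines:
		for word in keywords:
			# Skip keywords already reported before running the regex search.
			if word in performed:
				continue
			if re.search(word, line):
				print("[+] Malware Seems to be IRC BOT: Verified By String : %s" % word)
				performed.append(word)
	return performed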

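print("\n Analysing if PE file...\n")

# Only the two-byte DOS header magic is checked: a cheap sanity check, not a
# PE parse.  The handle is closed by the context manager even if read() fails.
with open(malware, "rb") as check:
	buff = check.read(2)

# Compare against bytes: on Python 3 a binary read returns bytes, which never
# compare equal to the str "MZ", so the old check rejected every file there.
if buff == b"MZ":
	print("\n[+] Valid PE file.\n")
	print("\n[!] Displaying Interesting System Calls Made.\n")
	start_analysis_system_calls()
	print("\n\n[!] Displaying Registry Hives Edited.\n")
	start_analysis_registry()
	print("\n\n[!] Displaying A Little Online Behaviour.\n")
	start_analysis_online()

else:
	# Non-zero status so callers can distinguish "not a PE" from a clean run.
	print("[-]\n Not a Valid PE File. Exiting.!")
	sys.exit(1)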
	
	




